Analysis
- max time kernel: 140s
- max time network: 106s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-05-2024 04:17
Behavioral task: behavioral1
- Sample: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
- Resource: win10v2004-20240508-en
General
- Target: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll
- Size: 76KB
- MD5: 3b8da76aaebec6d8aab5dacfd9fff370
- SHA1: 462c82c2a234ac9269e746f6d0976bd25ced9f00
- SHA256: a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651
- SHA512: 6cafe4478155677b9e2a877a1edb25c839442c4ccbfd9f63286d25fc4070986b361a79f313de538858a3a99bfcaef1a65d64225c275056ed8d7c6362000423ea
- SSDEEP: 1536:YjV8y93KQpFQmPLRk7G50zy/riF12jvRyo0hQk7ZjL73:c8y93KQjy7G55riF1cMo03h3
Malware Config
Signatures
- Modifies AppInit DLL entries (2 TTPs)
- UPX-packed memory regions (yara rule matches):
  - behavioral2/memory/3080-0-0x0000000010000000-0x0000000010030000-memory.dmp: upx
  - behavioral2/memory/3080-1-0x0000000010000000-0x0000000010030000-memory.dmp: upx
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  - PID 3080 rundll32.exe
  - PID 3080 rundll32.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  - Token: SeDebugPrivilege, PID 3080 rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  - PID 2548 (rundll32.exe) wrote to memory of PID 3080 (rundll32.exe)
  - PID 2548 (rundll32.exe) wrote to memory of PID 3080 (rundll32.exe)
  - PID 2548 (rundll32.exe) wrote to memory of PID 3080 (rundll32.exe)
Processes
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll,#1
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\a527e2fffd6dddf3b87f2cb44333b9a8963c8dd56f8ff6bedb484f6abfc80651.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken